09/09/2020
Brazil's New Data Protection Law; Is Your Company Ready?
By Raquel Castro, Nicole Latorraca and Ingrid Frugoli, Partners at ABO IP
In recent years, a lot has been discussed about the Brazilian General Law of Data Protection (BGLDP), but have companies already adapted to the new reality?
BGLDP, or Law No. 13,709, deals with the processing of personal data, including in the digital environment, by a natural person or a legal entity, whether public or private, with the intention of protecting the fundamental rights of liberty and privacy and the free development of an individual’s personality. It was ratified and published in 2018, came into partial effect that year, and should come into full effect in August 2021.
The Brazilian legislature decided to delay the introduction of certain provisions due to their understanding that a greater amount of time was necessary for society’s adaptation to the new law. This need for adaptation is essential for companies to understand and properly safeguard the data that they already possess, that is, implementing the personal data processing while protecting the fundamental rights of individuals.
Nowadays, companies are collecting individuals’ data even though it is not always essential for the delivery of their services or products, sometimes even sensitive information that identifies who a person is and that is not necessary for the task at hand. To comply with the BGLDP, any information that could be used to identify an individual counts as personal data and must be dealt with appropriately. Such data can also include sensitive information, such as sexual orientation, race, genetic information, political alignment, religion, health-related information, and the like.
In this way, data is now protected in its own right, with its own rights and duties, and is no longer seen as a mere by-product of a business or administrative activity. In the information age, data is the essence of the activity, and the information collected drives better functionality. This created the need for specific legislation, since the protection of privacy and personal data under general legislation was no longer sufficient.
This scenario has created the need for companies to go through a process of adaptation for the implementation and maintenance of a compliance programme, which should be led by a professional in charge of the data. Such a professional should understand all of the company’s data needs and how to implement them in an interdisciplinary way. Therefore, there should be communication between compliance, corporate management, IT, human resources and, of course, the legal department. Companies should only collect the data necessary for the purpose of the processing, to reduce the risk of exposing the individuals concerned in case such data is disclosed.
Large and medium enterprises are the most affected by the BGLDP, since implementing the law requires an entire internal reformulation of their databases. However, that alone is not sufficient. Besides companies having to follow the specific legislation on the issue, everyone whose data is collected must also expressly consent to the delivery and processing of their data. For this reason, the older frameworks that companies had used to collect data without an individual’s consent will no longer be accepted under the BGLDP. In such cases, there must be express consent, making the relationship between companies and individuals more transparent.
Moreover, in relation to security, Brazil also applies the principle of ‘privacy by design’, in which security measures are observed from the conception to the execution of a product or service, so that data leaks are addressed before rather than after an incident. However, unlike in the EU under the General Data Protection Regulation (GDPR), in the case of a security incident involving personal data, in addition to the National Authority of Personal Data Protection (NAPD), the individual whose data has been compromised must also be notified.
Nevertheless, it would be unreasonable to report every single security incident in this way; therefore, the significance of each incident is evaluated to decide whether it must be reported to the data subject, within a reasonable time to be defined by the NAPD.
It is worth highlighting that the BGLDP will also be applicable to foreign companies. Even foreign companies situated overseas must abide by the guidelines set by the BGLDP if they operate on Brazilian soil. Nonetheless, where necessary, there are options to transfer data to an overseas branch or international headquarters, so long as the country of destination ensures that the data processing follows the Brazilian guidelines required by the BGLDP. And, once the necessity ends, such data should be deleted in accordance with the legislation.
For the proper operation of the guidelines imposed by the BGLDP, the State will rely on the NAPD to monitor compliance with the law and, in cases of noncompliance, to penalize accordingly. Furthermore, the NAPD will have the functions of regulating the implementation of the law and providing preventive guidance on it.
It is certain that the full implementation of the BGLDP will affect the processing of data in Brazil and how individuals and companies behave in relation to it. Therefore, those that do not adjust will be penalized with fines, warning letters, and even embargoes. That is why obedience to and compliance with the BGLDP will be fundamental for companies that value their credibility and want to maintain their reputation amongst consumers.